How to ARP Spoof – Sniffing LAN traffic


This is a four-part tutorial covering the most common situations in which ARP spoofing is used and the mechanics involved. In this segment I will cover basic Ethernet sniffing using tools available in Backtrack to capture plaintext packets and read their content with Ettercap's GUI. Please maintain your ethics and don't misuse this information, I am not responsible for any illegal activities!

How this tutorial is divided:

This tutorial assumes you have a good understanding of how ARP works within a LAN and of the concepts involved in basic ARP spoofing. If you do not, please review my ARP spoofing PowerPoint.

The ARP Protocol and ARP Spoofing (PowerPoint)


Tutorial Quick Links:

Part 1: Sniffing LAN Traffic
Part 2: Man in the Middle Attacks (MITM)
Part 3: Denial of Service (DoS)
Part 4: Using Filters

Part 1: LAN sniffing using ARP Spoofing


Description of the attack:

An attacker on the local network spoofs the MAC addresses of the gateway and of the selected host, so that all traffic between them is forwarded through him. The attacker can then manipulate the traffic in any way he wants and forward the altered data on to its original destination; this kind of spoofing is called "Active Spoofing". Alternatively, the attacker can silently monitor the traffic while forwarding it back and forth unchanged; this kind of spoofing is called "Passive Spoofing", and it is what I will demonstrate in this segment.

Technical Note:

The reason ARP spoofing plays such an important role in modern networks is that we use switches to connect our internal nodes. Unlike in the old days, when everything was connected to a hub and data was broadcast out of every port, switches separate "collision domains": a frame enters on one port and is transmitted out of only the single port leading to its destination. Because of this, even if you are connected to the same switch, you cannot intercept packets that are not broadcast or sent directly to you.
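To make the hub-versus-switch point concrete, here is a small added model (illustration code, not part of the original tutorial or of any real switch firmware). A hub repeats every frame out of every other port; a learning switch records which port each source MAC arrived on and sends known unicast frames out of that single port only, flooding just broadcasts and unknown destinations. The topology, MAC addresses and frame sequence are constructed for the example: a "victim" on port 1, a "gateway" on port 2 and a third "observer" on port 3.

```python
"""Toy model of hub vs. learning-switch forwarding (added illustration, not
part of the original tutorial). It shows why a third station on a switch never
receives the unicast frames exchanged between two other hosts, while on a hub
it receives everything, and why ARP requests (broadcast) are still seen by
every port in both cases."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = ports  # port number -> host name

    def forward(self, in_port, src_mac, dst_mac):
        return sorted(p for p in self.ports if p != in_port)


class LearningSwitch:
    """Learns source MAC -> port and sends known unicast out of one port only.
    Unknown unicast destinations and broadcasts are flooded like a hub."""

    def __init__(self, ports):
        self.ports = ports
        self.cam = {}  # MAC address -> port (the switch's "CAM table")

    def forward(self, in_port, src_mac, dst_mac):
        self.cam[src_mac] = in_port  # learn where the sender lives
        if dst_mac != BROADCAST and dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return sorted(p for p in self.ports if p != in_port)


# Constructed topology (hypothetical): three stations on ports 1-3.
PORTS = {1: "victim", 2: "gateway", 3: "observer"}
MAC = {
    "victim": "aa:bb:cc:00:00:01",
    "gateway": "aa:bb:cc:00:00:02",
    "observer": "aa:bb:cc:00:00:03",
}


def observer_sees(device_cls):
    """Replay a short constructed exchange between victim and gateway and
    return the labels of the frames that reach the observer on port 3."""
    dev = device_cls(PORTS)
    exchange = [
        # (ingress port, source MAC, destination MAC, label)
        (1, MAC["victim"], BROADCAST, "ARP who-has gateway"),
        (2, MAC["gateway"], MAC["victim"], "ARP is-at gateway"),
        (1, MAC["victim"], MAC["gateway"], "HTTP GET"),
        (2, MAC["gateway"], MAC["victim"], "HTTP 200"),
    ]
    seen = []
    for in_port, src, dst, label in exchange:
        if 3 in dev.forward(in_port, src, dst):
            seen.append(label)
    return seen


if __name__ == "__main__":
    print("hub    ->", observer_sees(Hub))
    print("switch ->", observer_sees(LearningSwitch))
```

Run stand-alone, the hub delivers all four frames to the observer while the switch delivers only the broadcast ARP request; the HTTP exchange never leaves ports 1 and 2. That is the gap the rest of this tutorial fills by poisoning the ARP caches so that the switch forwards the traffic to the attacker's port instead.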

Setting up for the Attack (Equipment Needed):
A Victim PC
Attacker PC running Backtrack 2 or later
A switch or switched gateway (preferably with internet connection)

Step 1: Enumeration

In this scenario we will target an individual host and his gateway and route data between them, so the first step is to scan the entire subnet for hosts. For this we will use Ettercap: in Backtrack go to the KDE Menu -> Backtrack -> Privilege Escalation -> Sniffers -> Ettercap. Once it is open, choose Sniff -> Unified Sniffing (Bridged Sniffing is for when you have two NICs), then specify your interface (usually eth0). Now click Hosts -> Scan for Hosts. Ettercap will scan your entire subnet for all hosts and add the results to the hosts list. Now choose Hosts -> "Hosts list" to view the findings.

[Screenshot: Enumeration]

Step 2: Targeting
With the Hosts List open, click on your gateway, then click "Add to Target 1". Next select the host you want to target and click "Add to Target 2". If you don't select a secondary target, Ettercap will assume you want to target all hosts on the network. Now close the Hosts list, open Targets -> Current Targets, and verify you have the correct targets.

[Screenshot: Targeting]

Step 3: Spoofing the Network

To launch our poisoning attack, click Mitm -> Arp Poisoning, check "Sniff Remote Connections", and select OK ("One way sniffing" is for poisoning only from target 1 to target 2). You may also notice there is a status window in the bottom pane that displays information about your current settings. Now click Start -> Start Sniffing and the attack is underway.

[Screenshot: Spoofing]
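From the other side of the wire, the poisoning started above has a very recognisable signature: the gateway's IP suddenly answers from a new MAC address, the victim's IP answers from that same new MAC, and one station is now claiming two IPs at once. The following added example (my own illustration, not Ettercap code and not part of the original tutorial) is a minimal arpwatch-style monitor that flags exactly that. The ARP replies it consumes are constructed sample records, not a real capture; in practice they would be fed from a packet capture on a monitoring port.

```python
"""Added example (not part of the original tutorial, not Ettercap code): a
minimal arpwatch-style monitor run from a defender's vantage point. It watches
ARP replies on the LAN and alerts when an IP address previously bound to one
MAC is suddenly claimed by another, and when a single MAC claims several IPs,
which is what the gateway/host poisoning described above looks like on the
wire."""

from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample traffic (not a real capture). The gateway 192.168.0.1
# normally answers from ...:02 and the host 192.168.0.10 from ...:01. From
# ts=4.0 a third station ...:99 starts answering for both of them.
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.168.0.1", "aa:bb:cc:dd:ee:02"),
    ArpReply(2.0, "192.168.0.10", "aa:bb:cc:dd:ee:01"),
    ArpReply(3.0, "192.168.0.1", "aa:bb:cc:dd:ee:02"),
    ArpReply(4.0, "192.168.0.1", "aa:bb:cc:dd:ee:99"),
    ArpReply(4.1, "192.168.0.10", "aa:bb:cc:dd:ee:99"),
    ArpReply(5.0, "192.168.0.1", "aa:bb:cc:dd:ee:99"),
]


class ArpMonitor:
    """Tracks the first-seen IP -> MAC binding and reports deviations."""

    def __init__(self, protected_ips=()):
        self.bindings = {}                  # ip -> first MAC seen answering for it
        self.ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
        self.protected = set(protected_ips)  # e.g. the gateway: flips rate HIGH
        self.reported = set()               # (ip, mac) pairs already alerted on
        self.alerts = []

    def observe(self, reply):
        """Feed one ARP reply; return an alert tuple or None."""
        self.ips_by_mac[reply.sender_mac].add(reply.sender_ip)
        known = self.bindings.setdefault(reply.sender_ip, reply.sender_mac)
        if known == reply.sender_mac:
            return None                     # consistent with the trusted binding
        key = (reply.sender_ip, reply.sender_mac)
        if key in self.reported:
            return None                     # suppress repeats of the same flip
        self.reported.add(key)
        severity = "HIGH" if reply.sender_ip in self.protected else "MEDIUM"
        alert = (severity, reply.ts, reply.sender_ip, known, reply.sender_mac)
        self.alerts.append(alert)
        return alert

    def macs_claiming_multiple_ips(self):
        """A MITM station answers for both ends, so one MAC maps to 2+ IPs."""
        return {mac: sorted(ips)
                for mac, ips in self.ips_by_mac.items() if len(ips) > 1}


def analyse(replies, protected_ips):
    """Run the monitor over a list of replies; return (alerts, multi-IP MACs)."""
    mon = ArpMonitor(protected_ips)
    for r in replies:
        mon.observe(r)
    return mon.alerts, mon.macs_claiming_multiple_ips()


if __name__ == "__main__":
    alerts, multi = analyse(SAMPLE_REPLIES, ["192.168.0.1"])
    for a in alerts:
        print("ALERT %s t=%.1f %s moved from %s to %s" % a)
    for mac, ips in multi.items():
        print("MAC %s answers for %s" % (mac, ", ".join(ips)))
```

On the sample data this raises one HIGH alert for the gateway and one MEDIUM alert for the host, and reports that a single MAC is answering for both addresses. Two caveats a practitioner would want: a legitimate DHCP reassignment or a replaced NIC also flips a binding, so the first-seen binding should be seeded from a known-good inventory rather than trusted blindly, and the monitor only sees replies that reach its own port, so it belongs on a mirror/SPAN port or on the hosts it is meant to protect. Switches that support Dynamic ARP Inspection, or static ARP entries for the gateway on critical hosts, block the poisoning itself rather than merely detecting it.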

Step 4: Sniffing the Transmissions

My weapon of choice for this has always been Ethereal, now known as Wireshark. Open it by going to KDE Menu -> Backtrack -> Privilege Escalation -> Sniffers -> Wireshark, or simply type "wireshark" in the run command box. In Wireshark we first need to configure our capture interface by clicking Capture -> Options.

[Screenshot: Sniffing]

Here you need to select the NIC you will be capturing on in the interface dialog box; again it is usually eth0. Also verify that "Capture packets in promiscuous mode" is selected. Now under Display Options check "Update list of packets in real time" and "Automatic scrolling in live capture". These options are just my preferences and are not necessary. Once you hit OK, Wireshark will begin capturing everything that arrives on the specified interface.

You will end up gathering a lot of packets, which makes it almost unmanageable to search through all the traffic. This is where Wireshark's filters come in handy. There are many different filters you can use, so I will only describe the ones used in this tutorial; you can access the common filters by clicking the "Filter" button to the left of the filter bar.

[Screenshot: Sniffing 2]

Step 5: Selective Filtering

When targeting a specific host I like to choose the "IP address 192.168.0.1" filter (which expands to "ip.addr == 192.168.0.1" in the filter bar); in the green box below, change 192.168.0.1 to the proper host IP and hit Apply. You will notice that the packet list changes to show only traffic to and from that host.

[Screenshot: Selective Filtering]

Generally the most interesting traffic is HTTP, so by appending the string "&& http" to the filter, Wireshark shows only the HTTP traffic to and from the specific host. From here you either have to know what you are looking for or do a lot of packet searching.

[Screenshot: Selective Filtering 2]

Step 6: Finding the Unencrypted Login

Finally we can target a specific type of HTTP transaction to view insecure web page logins. In your filter box type "ip.addr == 192.168.X.X && data-text-lines", which takes us right to a user form submission sent over the wire in plaintext (in this case holding the username and password). Note that you have to expand the lower layers of the HTTP packet until you get to the data that was posted from the HTML form. When you explore the line you see "ID=test&Password=mypass". The data-text-lines filter can also be applied by itself to match every form submission of this type, allowing you to watch all traffic for this kind of transmission.

[Screenshot: Unencrypted Login]

Forward:
Using these techniques you can filter and search your way through heavy traffic, extracting exactly what you want. Expanding further on this idea, you can explore the "Expressions" menu for a plethora of filter expressions such as AIM, VoIP, HTTP authentication sessions, and basically any other packet type you wish to sort by. If you find a packet of particular interest, you can always right-click it and choose "Apply as Filter".

[Screenshot: Filters]

Please maintain your ethics and don't misuse this information, I am not responsible for any illegal activities!

Next: Part 2: Man in the Middle Attacks (MITM)

As usual, post any questions and they will get answered.
r00tk1ll - BeyondTheBit